A New Approach to Phishing!

In this poorly written and edited phish, the assailant pretends to warn you about being part of a scam as a way to provoke you to divulge some personal information in anticipation of an egregiously large reward. Don’t fall for this nonsense…

-----Original Message-----
From: Elliott Harris <talibusman.40@gmail.com>
Sent: Monday, March 27, 2023 7:38 AM
Subject: Scammed Victim Compensation

This Email/Letter is been directed to you because your email address and country name was found in one of the scammer Artists file and computer hard-disk while the investigation, maybe you have been scammed. You are therefore being compensated with the sum of
US$350,000 (US$) (Three Hundred and Fifty Thousand United States Dollars).

We have arranged your payment to be paid to you directly to your bank account in your country or via a check. To receive the above fund, you are therefore advised to contact the PNC Bank, USA officer who will transfer the fund to your bank account from Reserve Bank. We have advised the Bank Agent to open a private email address with a new number as to enable us to monitor this payment and the transfer communications to avoid further delay or misdirection of your fund.

Kindly contact the PNC Bank officer now with the below contact details:

Contact: Mr E. William Parsley III
Chief Operations Officer
Contact Email: fedheadquarters1@gmail.com

Please send all replies to: fedheadquarters1@gmail.com

Contact him now and forward the below details to him:

1. Your Full Name:
2. Your Age:
3. Occupation:
4. Cell/Mobile Number:

Yours in Service.
MR. WILSON STEWART.
United Nations Funds Investigation Unit.

Please make sure you are a scam victim to respond to this Email if this mail come as an Error Ignore it and Delete Immediately

Phishing Never Stops! (Also we’re back!)

Phishing emails have been arriving that share a Google Drive link to an Evaluation document. Usually they targeted entire departments & included either the Dean’s or the University President’s name to lend legitimacy – however, this email came from outside of Baylor (likely a compromised Google account). Clicking the link gave you a login screen that looked like a legit Baylor site. Entering your credentials would allow the phishers to attempt to access your Baylor email & would result in Duo pushes or phone calls arriving on your enrolled device. Please do NOT approve any Duo authentication that you did not initiate – always report them as fraud (if you are using Push, press Deny & it should give you the ‘Submit as Fraudulent’ option) or call the Help Desk & report that you are getting Duo authentication requests that you did not initiate. Below is a screenshot of the phishing email – you can see the subject line with the document name & its odd extension (.doc or .docx are the usual extensions for Word documents) & the fact that it came from Allison B, but mentions Linda Livingstone (it even warns you it is from outside of Baylor).

Best practices when you receive any email, whether or not you know it is legit, are:

  • Never click links in email or text messages.
  • Never provide personal information, including passwords.
  • Never authorize a Duo two-factor authentication request that you did not initiate.
  • Forward suspicious emails to Abuse@Baylor.edu for analysis.

Voicemail to Email Phishing

Some users receive legitimate voicemail to email communication, but the real emails containing legit Baylor voicemails will not contain any links. Any email like the one below that requires you to click a link (a hidden link at that) & authenticate should be viewed with skepticism (especially one with poor grammar & odd wording).

Gift Card Scam Still Prevalent

If you receive an email from your supervisor, department chair, dean, the Athletic Director, or the University President that contains some variation of ‘Are you on campus?’ or ‘Are you available?’ please double check the sending address as it is likely NOT from a Baylor.edu address – it may contain the real name of the people that hold those positions before the @ symbol, but after the @ symbol will be either a free email address provider or some other random company/domain. Something like the examples below:

Random email domain:

Using the person’s name before the @ symbol at a free email provider:

These scammers will NOT allow you to communicate with them by any method other than email, using excuses like they are in a meeting that they do not know when it will be wrapping up & that phone use is not allowed in the meeting. The ultimate goal is to get you to meet their request by sending the codes off the back of gift cards (usually Steam, Google Play, Amazon, etc.) so that they get the funds from those cards immediately after you send the email.

If you receive one of these scam emails, please forward it to abuse at baylor dot edu so that we may block that address from sending to or receiving email from Baylor email addresses.

Tutor Over-Payment Scam

In this scam you get an unsolicited email asking you to tutor the sender’s child or relative; many times the sender claims to be from overseas, so they cannot meet you in person. If you engage, they will eventually begin the money fraud by sending you a check for over the agreed-upon amount & asking you to return a portion – this check is fraudulent & the funds do not exist, so when you return the money it is removed from your balance & you are out the funds. Please forward any emails that look like the 2 examples below to abuse at Baylor dot edu. My favorite part about the first example below is that the scammer forgot to add in the name of the University & Department so it just stays as generic information – a dead giveaway that the email is fake. The second example below does a better job of being more specific to the person it was sent to by including the University & Department name.

Gift Card Scam

If you receive an email that appears to be from someone in leadership (President, VP, Dean, Chair, Athletic Director, etc.) that is asking if you are available or on campus to complete a task, please over-analyze the email address (not just the display name that shows up in your email program). It is likely that this is a scam email that will ask you to purchase hundreds of dollars of gift cards (usually iTunes or Google Play, but there have been others requested as well) & then to send the codes on the backs of the cards to the scammers. They will claim that they cannot talk on the phone due to the meeting & that they need the cards immediately to give to an important donor, award winner, alumni, etc. Gift card purchases are usually non-refundable, so even if the scammer doesn’t get the money from the cards, it is unlikely that you will be reimbursed if you purchase them. Please forward any emails you receive that appear to be part of this scam to abuse at Baylor dot edu.

Below is an example of this scam’s initial or secondary contact before they actually tell you what the task is. Notice how poor the grammar tends to be in the scam emails – we all make mistakes in our writing, but phishing & scam emails are usually much worse. Also notice that although the sending email address has Baylor & edu in it, they are before the @ symbol & this scam email is actually coming from a Gmail address (another popular example is to use a hyphen, like Bruiser-Bear@outlook.com).

Here is the text when they ask for the gift cards. It isn’t always exactly like this, but the general message is always similar to what is shown below:

URGENT!!!

Good to hear from you, I am tied up right now i need you to walk down to the store and get me iTunes gift card or Steam gift card 5 pieces – $100 each, Scratched it all and take a picture of them and send it to me here. I would reimburse you when am through, also i would have call you but can’t receive or call at the moment because am in a conference call.

The scammers will also replicate the user’s signature or just steal something that looks like a signature. We have seen entire CVs copied from a website, complete with head shot & teaching schedule, used as email signatures during this scam. I made the example below a bit generic because I did not want it to look like any one person’s signature.

Professor and Department Chair
Office Hours
M/W — 10:00-11:00am and 2:00-4:00pm; F—9:00-10:00am
TR —by appointment (afternoons)
Education
Ph.D., State University,

Or the scammers might flip the closing with the name like below.

Bruiser Bear, Ph.D.

Regards.

This one is fairly straightforward, but likely not at all what Dr. Livingstone’s email signature looks like:

Best Regards,
Linda Livingstone
The President
Baylor University
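
The sender-address checks described in the two gift card sections above, as an added Python example (not code from Baylor or from the original post): it flags a From header whose domain is not baylor.edu but which uses a free mail provider, puts "baylor" before the @ symbol, or carries a leader's name. The provider list, the name list and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "baylor.edu"  # the institution's real mail domain, per the page
# Assumption: a short illustrative list, not a complete inventory of free providers.
FREE_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Names taken from the page's examples; a real deployment would load a directory list.
LEADER_NAMES = {"linda livingstone", "bruiser bear"}

def _norm(text):
    """Lower-case and collapse dots, hyphens, digits etc. to single spaces."""
    return " ".join(re.sub(r"[^a-z]+", " ", text.lower()).split())

def sender_flags(raw_message):
    """Return the warning signs found in the From header of one raw message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    # A From address at the real domain is not flagged here. It can still be
    # spoofed, so this check only covers look-alike external senders.
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return []
    flags = []
    if domain in FREE_PROVIDERS:
        flags.append("free-mail-provider")
    if "baylor" in local.lower():
        flags.append("org-name-before-@")
    if any(n in _norm(display) or n in _norm(local) for n in LEADER_NAMES):
        flags.append("leader-name-from-outside")
    return flags

# Constructed sample messages; only the From header matters for this check.
SAMPLES = [
    "From: Bruiser Bear <Bruiser-Bear@outlook.com>\nSubject: Are you available?\n\n",
    'From: "Office of the President" <baylor.edu.office@gmail.com>\nSubject: Hi\n\n',
    "From: Linda Livingstone <linda.livingstone@mail.example.net>\nSubject: Hi\n\n",
    "From: Bruiser Bear <Bruiser_Bear@baylor.edu>\nSubject: Meeting notes\n\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw.splitlines()[0], "->", sender_flags(raw))
```

An empty result only means none of these look-alike patterns matched; it does not show that the message is genuine.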

Adult Content Extortion Emails…Again? Still?

We have seen a high number of emails that look like the one in the image below, but have various subject lines & a different MsgID number at the bottom. Everything these emails threaten is false, including the fact that they sent it from your own email account. The scammers are using a technique called email spoofing, which is the creation of a message with a forged sender address intended to mislead and/or prank the recipient about the origin of the message. This is very common in spam, phishing, & other scam messages. It is the equivalent of placing someone else’s return address label on a letter sent via the postal service.

We are able to block these emails based on the Bitcoin wallet addresses listed, but because they are sent from random email addresses from various free email providers we are unable to stop them all. Please continue to ignore these emails, but also feel free to forward them to abuse at baylor dot edu so that we may continue our efforts to block as many as we are able.

Sample Subject Lines:

  • No longer private!
  • Your friends will be shocked!
  • You dirty dog!
  • I got something from you!
  • You better read this!
  • Your chance!
  • Shame on you!

Office 365 Business Essentials Bill Is Ready

In this phishing email the scammers are hoping you click on the link to pay the invoice, but in reality you will just be giving away your credentials instead. As Baylor Faculty, Staff, & Students, you do not have any Office 365 bills to pay. Also notice that the sending address has nothing to do with Microsoft or Office & the link goes to a site that lacks Microsoft or Office in the URL. You can safely ignore & delete this phishing email from your inbox.

Quarterly Pay Information

Baylor does not communicate payroll changes in this format – the email address is not a Baylor address & the link does not go to a Baylor site. The other telltale signs of a phish are the generic greeting, the poor spacing, & the generic closing. If you receive an email that looks anything like this one, please ignore it by not clicking the link & delete the email from your inbox.

Phishing from the University at Buffalo?!?!?

Earlier today over a thousand users received an email saying that due to repeated “shot down emails sent to our internal server” your email would be deactivated until you clicked a button that would “Login to Restore Account”. The phishers must have confused UB (University at Buffalo) for BU (Baylor University). This email did not originate from Baylor & was a phishing attempt that can be ignored & deleted. I hope this one was obvious to Baylor email users. As always, please forward any suspicious emails to abuse at Baylor dot edu.